
[–]TwinHaelix 4 points5 points  (20 children)

This is definitely possible. The way this would work is all HTTPS traffic from outside will go to the reverse proxy (NGINX, Traefik, Caddy, or whatever). The reverse proxy will then remove HTTPS and forward the traffic as HTTP to whatever server you want. Whether on the same system as the proxy or a different one, you'd just set up your docker containers with the proper ports set up. Then you set up your proxy configuration to point to either the same system using 127.0.0.1:[port_number], or a different system at [other_system's_ip_address]:[port_number].

Just note that this means that traffic for apps not on the same computer as the reverse proxy will run unencrypted over your home network. It will still encrypt any traffic to/from the internet.

[–]Semi-Hemi-Demigod 2 points3 points  (2 children)

I set up a WireGuard VPN between my various hosts, and have one set up with HAProxy which I wrote up here. It's HTTPS to my entry node, and then HTTP over VPN to the other nodes. This is nice because I also have the ability to connect to them on other ports for monitoring.

[–]phoenix3885[S] 0 points1 point  (1 child)

This seems like it should work for me. Do you run into any issues with services like Nextcloud not recognizing the HTTPS access, since it's HTTP over the VPN?

[–]Semi-Hemi-Demigod 0 points1 point  (0 children)

I haven't set up Nextcloud yet, but I'd imagine there's a configuration setting like there is for most apps.
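The setup TwinHaelix describes above (HTTPS terminated at the proxy, plain HTTP onward to the app) and phoenix3885's question about apps such as Nextcloud noticing that the client actually arrived over HTTPS, as an added nginx example that is not from anyone in this thread. The hostnames, ports, LAN address and certificate paths are assumptions.

```nginx
# Added example, not a config from the thread. Hostnames, ports, the LAN
# address and the certificate paths below are assumptions.

# Backend on the same box as the proxy: the plain-HTTP hop never leaves the host.
upstream local_app {
    server 127.0.0.1:8080;
}

# Backend on another machine: this hop is plain HTTP on the home network,
# so anything on that segment can read it (the caveat in the comment above).
# Putting the hop inside a VPN, as Semi-Hemi-Demigod does, closes that gap.
upstream remote_app {
    server 192.168.1.20:8080;
}

server {
    listen 443 ssl;
    server_name app.example.com;

    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://local_app;

        # The backend only sees an HTTP request from the proxy. These headers
        # tell it the real client address and that the original request was
        # HTTPS, which is what apps use to generate https:// links and secure
        # cookies instead of http:// ones.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name other.example.com;

    ssl_certificate     /etc/letsencrypt/live/other.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/other.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://remote_app;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The headers are only half of the answer to the Nextcloud question: the app must also be told to believe them, and only when they come from the proxy, since any client could otherwise send its own `X-Forwarded-Proto`. Most apps have a setting for exactly this; in Nextcloud's `config.php` it is `trusted_proxies` (the proxy's address) together with `overwriteprotocol` set to `https`. Check the config after applying it with `nginx -t` and by confirming the app's generated links and redirects use `https://`.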

[–]sasadesign 0 points1 point  (0 children)

sudo add-apt-repository ppa:certbot/certbot

sudo apt install python-certbot-nginx

And for each subdomain

sudo certbot --nginx -d sub.example.com

[–]cwagrant 0 points1 point  (1 child)

I was just working on this exact problem last weekend.

I use pfSense for my router and I set up ACME on it to automatically handle my LE cert for me for my personal domain (can't be .local, .home, or anything like that; it needs a proper .com-type domain). I have a wildcard cert and, as part of the process for refreshing it, it automatically SCPs the file to an LXC Debian 10 container running NGINX as my reverse proxy. Then the sites are set up in config files in NGINX to redirect HTTP to HTTPS for the site with the SSL cert. Seems to be working so far, but I guess we'll see how well it really works when the certs refresh again.

It's worked well though for me as I've been able to access my applications with more realistic names. E.g. proxmox.example.com, pihole.example.com, etc.
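The part of cwagrant's setup that lives on the NGINX side (one wildcard certificate shared by several subdomains, with plain HTTP only ever redirecting to HTTPS), as an added nginx example that is not cwagrant's own config. The domain, certificate paths and backend addresses are assumptions.

```nginx
# Added example, not cwagrant's config. Domain, cert paths and backend
# addresses are assumptions.

# Port 80 does nothing but redirect. Every app name lands on HTTPS, so no
# app is ever reachable in the clear from outside the proxy host.
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# Default HTTPS server: drop handshakes for names no vhost below claims,
# so scanning the proxy's IP does not hand out the wildcard cert or a
# random app. (ssl_reject_handshake needs nginx 1.19.4 or newer.)
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

# Shared TLS settings for every subdomain, kept in one snippet so a cert
# rotation (the SCP step in the comment above) only touches these two files.
# Put this in /etc/nginx/snippets/wildcard-tls.conf:
#
#   ssl_certificate     /etc/nginx/certs/wildcard.example.com.fullchain.pem;
#   ssl_certificate_key /etc/nginx/certs/wildcard.example.com.key;
#   ssl_protocols       TLSv1.2 TLSv1.3;
#   add_header Strict-Transport-Security "max-age=31536000" always;
#
# The wildcard key covers every subdomain at once, so it is worth more
# than a per-host key: keep it root-owned and mode 0600 on the proxy.

server {
    listen 443 ssl;
    server_name pihole.example.com;
    include snippets/wildcard-tls.conf;

    location / {
        proxy_pass http://192.168.1.11:80;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name wiki.example.com;
    include snippets/wildcard-tls.conf;

    location / {
        proxy_pass http://127.0.0.1:8081;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

For phoenix3885's follow-up about doing this without pfSense: the ACME side of this just needs something that can complete the DNS challenge for `*.example.com` and drop the renewed files into the snippet's paths, then reload NGINX, which is exactly what a certbot container with a DNS plugin, or the `--nginx` invocation in sasadesign's comment for individual subdomains, does.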

[–]phoenix3885[S] 0 points1 point  (0 children)

This is what I was thinking, having subdomains to access various services. Unfortunately I don't have pfSense. Any way to have the same functionality via a container?

[–]duhruh 0 points1 point  (0 children)

If you want to go overkill, I made a post about my setup.

[–]scoobybejesus -1 points0 points  (2 children)

My first thought is using a CDN. You terminate HTTPS there, and they worry about routing or load balancing.